Bugtraq mailing list archives
Re: Trend Micro's Vista "0day exploit auction" claim
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 20 Dec 2006 17:11:50 -0600
Uh, re-read my post. My point was that based upon somewhat recently prices on XP exploits, $50k for a Vista exploit did not surprise me one bit. Maybe not exactly the confirmation you or Roger were looking for, but I've seen high 5 figure offers for XP exploits for a while, I've heard of low 6 figure offers from multiple people I trust, and if I were a bad guy selling 0day I would certainly expect to get a decent price for Vista exploits -- particularly for non-client-side remote root. What Trend Micro is reporting on (at least I think) is that there was an individual or group that was offering up a 0day Vista exploit with a price tag of $50k, which is currently being "confirmed and evaluated" by a "trusted third party" (who will probably get a cut of the sale). Odds are it will go for less. Joke about it if you like, but it is practically 0bay out there. Some of the Russian boards are discussing this, like "is it really worth it" and "could they get more". Based on previous experience and the "talk on the street" (thanks to Google, and the Beta Google translation from Russian to English) I'd say it is real. IMO it is an attempt to drive up the price of future exploits. Now are Vista exploits actually going for $50k? No confirmation there, but someone is currently offering one for that amount, and it is possible they will get that much or even more. -SN On Wed, 2006-12-20 at 15:31 -0700, Drew Brown wrote:
Uh... Roger isn't talking about XP. He's talking about Vista. Re-read his post. I thought he was talking about XP at first too. And I wondered if the thing was valid myself. Drew On 12/20/06, Simple Nomad <thegnome () nmrc org> wrote: On Tue, 2006-12-19 at 21:55 -0500, Roger A. Grimes wrote: > I can't verify it. But $50K for an exploit against an OS that will not > be widely deployed for many months seems to be excessive. Who in their > right mind would want to pay $50K to exploit 10 machines before the > exploit is captured, sent to MS, and patched, all before the general > population really starts running it. > > It doesn't pass the commonsense test to me. A zero day on XP Pro would > be oh, so much more valuable. XP exploits *are* more valuable. Considering XP exploits already go for as much as twice that, $50k actually seems reasonable, or if not reasonable, at least what the market will bear. I haven't seen auction boards recently (in fact since fed crackdowns it is getting harder to get on some boards) and never saw Vista on there as it was before Vista's time, but I have seen large amounts. While up to 6 figures for a remote root XP exploit seems excessive, $50k for Vista does not strike me as outrageous, all things considered. Organized cybercrime, for lack of a better word, seems to be fairly well organized. An aggressive business person is willing to spend money to make money, so having multiple 0days for future business expansion would only make sense, particularly in an area with so much unlaundered cash floating around. If the ecommerce sites start moving to Vista and you have remote root on Vista, burning a 0day to hit a few dozen major sites and grab customer lists, CC #'s, etc is totally worth $50k. Another thing to bear in mind is that some of the value here may lie in something besides actual money. For example someone might be willing to trade a run of CC #'s for a Firefox exploit, and if each credit card would normally fetch $200, your exploit might be worth 50 credit card numbers which have a street value of $10k. If you were real good at carding you could easily turn this into twice or three times that. Otherwise the exploit might only be worth a couple thousand in actual cash. -SN
Current thread:
- Trend Micro's Vista "0day exploit auction" claim Ryan Meyer (Dec 19)
- RE: Trend Micro's Vista "0day exploit auction" claim Roger A. Grimes (Dec 20)
- RE: Trend Micro's Vista "0day exploit auction" claim Simple Nomad (Dec 20)
- Message not available
- Re: Trend Micro's Vista "0day exploit auction" claim Simple Nomad (Dec 21)
- RE: Trend Micro's Vista "0day exploit auction" claim Simple Nomad (Dec 20)
- RE: Trend Micro's Vista "0day exploit auction" claim Roger A. Grimes (Dec 20)
- <Possible follow-ups>
- Re: RE: Trend Micro's Vista "0day exploit auction" claim agoodhez1 (Dec 21)